New Security Patch (SUPEE-6788), CE 1.9.2.2 & EE 1.14.2.2 Released

Magento has recently released a new security patch (SUPEE-6788) which is going to impact the security issues in Magento specifically related to the admin URL routing, Possible SQL injection and prevention to direct unauthorized access of information.

Along with the patch, Magento has also released Community Edition 1.9.2.2 and Enterprise Edition 1.14.2.2. These newer editions come with security patch set in core itself and do not need any other current or past patches to be installed separately.

While for security reasons, it is very much important for you to get this patch installed, the patch will stop certain extensions and customization working on a store. Click here for the full list of such extensions.

We are working on updates and changing the mechanism to ensure the correct performance of one of our affected extensions (Delete Orders).

SUPEE-6788 includes protection against the following security-related issues:

Error Reporting in Setup Exposes Configuration
Error messages generated during the Magento installation, or during a failed extension installation, can expose the Magento configuration and database access credentials. In most cases, the database server is configured to prevent external connections. In other cases, the information can be exploited, or tied to another attack.

Filter Directives Can Allow Access to Protected Data
Email template filter functionality can be used to call blocks and expose customer information such as last orders, or integration passwords. Although safe when used internally by Magento, it has been reported that this functionality might be used by some external extensions to process blog comments and other user input. Such use of the email template filter functionality can expose protected information on the storefront.

XXE/XEE Attack on Zend XML Functionality Using Multibyte Payloads
Magento can be forced to read XML via API calls that contain ENTITY references to local files, which makes it possible to read password or configuration files. Although Zend Framework filters out ENTITY references, they can be encoded as multibyte characters to avoid detection.

Potential SQL Injection in Magento Core Model Base Classes
The addFieldtoFilter method does not escape the field name. Although core Magento functionality is not affected, this issue might impact third-party extensions, such as those used for layered navigation. Such extensions might be exploited from the storefront to execute any SQL queries.

Potential Remote Code Execution Using Cron
The cron.php script is available for anyone to call. Because the script can make command line functions calls, it becomes a potential target for the Shellshock vulnerability.

Additionally, because the command that is passed to shell is not escaped, a directory with the same name as a shell command can be used to execute code.

Such an attack requires access to create directories with arbitrary names, such as hosting panel. Although the severity is ranked as high, the attack is not exploitable by itself.

Remote Code Execution / Information Leak Using File Custom Option
Custom option values are not cleared when the custom option type is switched. This makes it possible to inject malicious serialized code into a custom option of the “text” type, and execute it by switching the custom option type to “file.” This remote code execution attack requires the store to use custom options, and have an administration account with access to catalog/products.

Additionally, the manipulation of custom options from the storefront makes it possible to read system files.

Cross-site Scripting with Error Messages
Error messages on storefront pages are not escaped correctly, which makes the site vulnerable to cross-site scripting.

Potential Remote Code Execution Using Error Reports and Downloadable ProductsIt is possible to put unvalidated information, including code, into error report files. When combined with Admin access to the catalog, an attacker can create a fake downloadable product that executes PHP code that was previously uploaded to the server.

To fully execute the attack, the attacker must have valid credentials for an Admin account that has full permission to access product resources.

Admin Path Disclosure
Although this patch is disabled by default, it helps protect against automated attacks. By calling a module directly, an attacker can force the Admin Login page to load in the browser. The Admin URL appears in the address bar, which makes it easier to launch a password attack.

Insufficient Protection of Password Reset Process
The token that is used to reset a password is passed with a GET request, and is not canceled after use. As a result, the token can be leaked through the referrer field to all external services that are called on the page, such as image servers, analytics, and ads. The token might then be reused to steal the customer’s password.

Dev Folder Not Protected
The Magento dev folder, including functional tests, lacked a proper .htaccess file to prevent browser access. As a best practice, all files and directories that are not intended for public view should be protected.

All these new releases are fully tested, complete and ready for merchants to deploy. We strongly encourage you to implement the patch or upgrade to the new versions as soon as possible.